Teaching Network Security with IP Darkspace Data Tanja Zseby, Felix - - PowerPoint PPT Presentation

▶

Feb 14, 2024 444 likes •615 views

Teaching Network Security with IP Darkspace Data Tanja Zseby, Felix Iglesias Institute of Telecommunications Faculty of Electrical Engineering and Information Technology TU Wien September 9, 2019 TU Wien Network Security Classes Two

SLIDE 1

Teaching Network Security with IP Darkspace Data Tanja Zseby, Felix Iglesias

Institute of Telecommunications Faculty of Electrical Engineering and Information Technology TU Wien September 9, 2019

SLIDE 2

TU Wien Network Security Classes

Two Security Courses for Master students

– Theory Lectures (6 x 90 min) è written exam – Lab Exercises (6 x180 min), Teams of 2 è Report – Lab Review (oral exam) – Classes offered since 2014, continuously updated – 2014: 35 students è 2019: 88 students

1. Network Security

– Lab: IP Darkspace Analysis – Data: CAIDA IP darkspace data

2. Network Security Advanced

– Lab: Network Steganography – Data: Modified MAWI Dataset (WIDE)

2019-09-09

T. Zseby, DUST 2019

2

SLIDE 3

Educational Objectives

Research-oriented teaching concept

– Include current research in the classroom

Class objectives:

– Familiarize students with network data analysis methods – Provide students in-depth understanding of TCP/IP flow behavior – Deepen students' network security knowledge – Enable students' general scientific work skills – Increase exploratory and forensics analysis skill – Awaken the scientist in each student

2019-09-09

T. Zseby, DUST 2019

3

SLIDE 4

Students

International students

– Different bachelor programs è Different skills

Different Masters programs

– Electrical engineering

Telecommunications
Embedded Systems

– Computer Science – Future: Data Science Master

Ideal: if students from different programs team up

– EE students with matlab, signals and systems experience – CS students with programming and Linux skills

2019-09-09

T. Zseby, DUST 2019

4

SLIDE 5

NetSec Lab: IP Darkspace Analysis

CAIDA IP Darkspace Data (Telescope Data)

– Each Team gets different set of IP darkspace data – Students required to use recommended tools

Exercises

2019-09-09

T. Zseby, DUST 2019

5 Attacker normal host normal host normal host IPa … IPn

Darkspace

tcpdump wireshark corsaro/silk

pcap

1. preprocessing/

aggregation

2. Uni/bivariate analysis
3. Time Series
4. FFT

matlab RapidMiner

flowtuples, csv Report

SLIDE 6

Example Exercises

2019-09-09

T. Zseby, DUST 2019

6

SLIDE 7

Data Analysis (Examples from Reports)

2019-09-09

T. Zseby, DUST 2019

7 TTL

Temporal Patterns (FFT) Time Series Distributions Scatterplots

SLIDE 8

Identifying Backscatter

2019-09-09

T. Zseby, DUST 2019

8 Attacked HTTP server

Dark space

TCP SYN with spoofed srcIPs

i n

Attacker/s

80 i k n

…

TCP, 0x12 (SYN-ACK)

j k 80

SLIDE 9

Student Feedback

2019-09-09

T. Zseby, DUST 2019

9

what did you enjoy most? “labs were fun and engaging ” “the moments: when you successfully finish an exercise” What could be improved? “tool-tutorials before the class ” “more free exploration exercises” “more exercises!; to be honest, I could have done another three exercises, it was fun!”

[feedback provided by 14 students]

SLIDE 10

(Some) Lessons Learned

Working with real measurement data

– Boosts motivation, triggers research spirit – Encourages to check theory vs. reality – Teaches responsible handling of data – Unique data set per team è cheating detection

But: A lot of effort

– Maintaining lab environment – Correcting reports – Unexpected effects è need to check data before

Enforce pre-requisites
Form heterogeneous teams
Introduce variety of tools, then allow free choice
“Keep it Fun!” (story, easter eggs)

2019-09-09

T. Zseby, DUST 2019

10

SLIDE 11

Benefits

Students work with real data

– A lot of positive responses

Students learn about attacks

– Scanning – Backscatter – But: only some attacks visible and mainly missed attack attempts, attack consequences not the attack itself

Plenty of data available

– Every team can get own data set – Teams may discover new things

2019-09-09

T. Zseby, DUST 2019

11

SLIDE 12

Limitations/Challenges

General limitations of darkspace traffic

– No bi-directional flows, no connections – No Labels (not suitable for testing algorithms)

Operational limitations

– Huge files, huge effort for getting most recent data – No filter options – Data needs to stay in lab (students sign CAIDA agreement)

Anonymization

– Limits analysis options (e.g., geolocation)

è 2019 lab used only aggregated DS data

– Now students do own attacks, preprocessing exercises with captured data

2019-09-09

T. Zseby, DUST 2019

12

SLIDE 13

Whish List 1: Providing Data

Offer customized data files

– Data in different formats and sizes (file sizes, time intervals) – Different aggregation schemes – Filtered data (e.g., removing repetitive instances, 445 scans, etc.) – Pre-processed data (10-min captures, flows, time- series, etc.) – Ideal: flexible filter/aggregation options (different flow keys, time series,…)

Provide Labels

– Automatized analysis – Provide classification tools, scripts

2019-09-09

T. Zseby, DUST 2019

13

SLIDE 14

Wish List 2: Remote Data Analysis

Possibilities for students to work on data remotely

– Remote work environment for multiple teams – Working on most recent data

Provide standard analysis environments

– Standard tools and programming environments – e.g., matlab, python, scikit-learn, Rapidminer? – Repeatability

Still provide the possibility to download parts

– User friendly query options ("time period", "signals", "sampling time", "filtering options”)

Provide info material, examples, tutorials

– Possibility to share/discuss findings with others (CAIDA researchers, other groups?

2019-09-09

T. Zseby, DUST 2019

14

SLIDE 15

Available Material

IP Darkspace Data è available at CAIDA
MAWI Data: http://mawi.wide.ad.jp/mawi/
Teaching material è available to other teachers

– Exercise Sheets – Solver scripts – Report templates – Evaluation and Grading Scheme http://www.tc.tuwien.ac.at/netsec-lab

2019-09-09

T. Zseby, DUST 2019

15 Zseby, Iglesias, Bernhardt, Frkat, Annessi: "A Network Steganography Lab on Detecting TCP/IP Covert Channels"; IEEE Transactions on Education, 59 (2016), 3; 224 - 232. Zseby, Iglesias, King, Claffy: "Teaching Network Security With IP Darkspace Data"; IEEE Transactions on Education, 59 (2015), 1; 1 - 7.

SLIDE 16

Teaching Network Security with IP Darkspace Data Tanja Zseby, Felix Iglesias

Institute of Telecommunications Faculty of Electrical Engineering and Information Technology TU Wien September 9, 2019

TU Wien Network Security Classes

– Theory Lectures (6 x 90 min) è written exam – Lab Exercises (6 x180 min), Teams of 2 è Report – Lab Review (oral exam) – Classes offered since 2014, continuously updated – 2014: 35 students è 2019: 88 students

– Lab: IP Darkspace Analysis – Data: CAIDA IP darkspace data

– Lab: Network Steganography – Data: Modified MAWI Dataset (WIDE)

2019-09-09

2

Educational Objectives

– Include current research in the classroom

2019-09-09

3

Students

– Different bachelor programs è Different skills

– Electrical engineering

– Computer Science – Future: Data Science Master

– EE students with matlab, signals and systems experience – CS students with programming and Linux skills

2019-09-09

4

NetSec Lab: IP Darkspace Analysis

– Each Team gets different set of IP darkspace data – Students required to use recommended tools

2019-09-09

5 Attacker normal host normal host normal host IPa … IPn

Darkspace

tcpdump wireshark corsaro/silk

pcap

aggregation

matlab RapidMiner

flowtuples, csv Report

Example Exercises

2019-09-09

6

Data Analysis (Examples from Reports)

2019-09-09

7 TTL

Temporal Patterns (FFT) Time Series Distributions Scatterplots

Identifying Backscatter

2019-09-09

8 Attacked HTTP server

Dark space

Attacker/s

…

Student Feedback

2019-09-09

9

[feedback provided by 14 students]

(Some) Lessons Learned

– Boosts motivation, triggers research spirit – Encourages to check theory vs. reality – Teaches responsible handling of data – Unique data set per team è cheating detection

– Maintaining lab environment – Correcting reports – Unexpected effects è need to check data before

2019-09-09

10

Benefits

– A lot of positive responses

– Scanning – Backscatter – But: only some attacks visible and mainly missed attack attempts, attack consequences not the attack itself

– Every team can get own data set – Teams may discover new things

2019-09-09

11

Limitations/Challenges

– No bi-directional flows, no connections – No Labels (not suitable for testing algorithms)

– Huge files, huge effort for getting most recent data – No filter options – Data needs to stay in lab (students sign CAIDA agreement)

– Limits analysis options (e.g., geolocation)

– Now students do own attacks, preprocessing exercises with captured data

2019-09-09

12

Whish List 1: Providing Data

– Automatized analysis – Provide classification tools, scripts

2019-09-09

13

Wish List 2: Remote Data Analysis

– Remote work environment for multiple teams – Working on most recent data

– Standard tools and programming environments – e.g., matlab, python, scikit-learn, Rapidminer? – Repeatability

– User friendly query options ("time period", "signals", "sampling time", "filtering options”)

– Possibility to share/discuss findings with others (CAIDA researchers, other groups?

2019-09-09

14

Available Material

– Exercise Sheets – Solver scripts – Report templates – Evaluation and Grading Scheme http://www.tc.tuwien.ac.at/netsec-lab

2019-09-09

15

Thank you!